Kubernetes RBAC to restrict user to see only required resources on kubernetes dashboard
Hi Everyone, I want to restrict my developers to be able to see only required resources on the Kubernetes dashboard (for example, only their namespace, not all the namespaces). Is it possible to do that? If yes, can someone point me to the right documents? Many thanks.
I am using the below RBAC for the kube-system namespace. However, the user is able to see all the namespaces on the dashboard rather than seeing only the namespaces he has access to.
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: dashboard-reader-role
rules:
- apiGroups: [""]
  # RBAC resource names are plural: the proxy subresource is "services/proxy",
  # not "service/proxy" (a rule naming a non-existent resource matches nothing)
  resources: ["services/proxy"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-ad-group-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-reader-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "****************"
```
Please see the k8s RBAC documentation.

Example: create a developer role in the development namespace:
```yaml
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
  # You can use ["*"] for all verbs
```
Then bind it:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-role-binding
  namespace: development
subjects:
- kind: User
  name: DevDan
  # User and Group subjects belong to the RBAC API group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  # roleRef.apiGroup must be rbac.authorization.k8s.io; "" is rejected
  apiGroup: rbac.authorization.k8s.io
```
Also, there is a built-in view-only role that you can bind to a user:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
```
C02W84XMHTD5:~ iahmad$ kubectl get clusterroles --all-namespaces | grep view
system:aggregate-to-view 17d
view 17d
```
But this is a cluster-wide view role; if you want them to see only the stuff in a specific namespace, then create a view role in that namespace and bind it, as in the example above.
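To make the scoping rules behind both the question and the answer concrete, here is an added example (not code from the original thread, and not the kube-apiserver's own authorizer): a simplified RBAC evaluator that takes the answer's `developer` Role and RoleBinding as plain Python dicts (constructed here rather than read from a cluster) and answers "can this subject do this verb on this resource in this namespace?" the way the RBAC authorizer does, minus `resourceNames`, `nonResourceURLs` and ClusterRole aggregation. It shows why a namespaced Role can never grant access to cluster-scoped resources such as `namespaces`: RoleBindings are only consulted for requests that carry a namespace, so a user bound only inside `development` cannot list namespaces or see pods in `kube-system`. The function names and the `Request` type are this example's own.

```python
"""Simplified Kubernetes RBAC evaluation (added example, not the apiserver's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    verb: str
    api_group: str   # "" is the core API group
    resource: str    # e.g. "pods", "namespaces", "services/proxy"
    namespace: str   # "" for cluster-scoped requests such as listing namespaces


def _rule_matches(rule, req):
    """A PolicyRule matches when each list contains the requested value or '*'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("verbs", []), req.verb)
            and hit(rule.get("apiGroups", []), req.api_group)
            and hit(rule.get("resources", []), req.resource))


def _subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def authorize(objects, req):
    """True if some binding naming the requester references a role with a matching rule."""
    by_kind = {}
    for obj in objects:
        by_kind.setdefault(obj["kind"], []).append(obj)

    def find_role(kind, name, namespace=None):
        for r in by_kind.get(kind, []):
            if r["metadata"]["name"] == name and (
                    kind == "ClusterRole" or r["metadata"]["namespace"] == namespace):
                return r
        return None

    def role_allows(role):
        return bool(role) and any(_rule_matches(rule, req) for rule in role.get("rules", []))

    # ClusterRoleBindings apply everywhere, including cluster-scoped requests.
    for crb in by_kind.get("ClusterRoleBinding", []):
        if any(_subject_matches(s, req) for s in crb.get("subjects", [])):
            if role_allows(find_role("ClusterRole", crb["roleRef"]["name"])):
                return True

    # RoleBindings apply only inside their own namespace, so a request with no
    # namespace (namespaces, nodes, ...) can never be satisfied by one.
    if not req.namespace:
        return False
    for rb in by_kind.get("RoleBinding", []):
        if rb["metadata"]["namespace"] != req.namespace:
            continue
        if not any(_subject_matches(s, req) for s in rb.get("subjects", [])):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = find_role("ClusterRole", ref["name"])   # ClusterRole bound into one namespace
        else:
            role = find_role("Role", ref["name"], rb["metadata"]["namespace"])
        if role_allows(role):
            return True
    return False


# Constructed copies of the answer's manifests: developer Role + binding for user DevDan.
OBJECTS = [
    {"kind": "Role",
     "metadata": {"namespace": "development", "name": "developer"},
     "rules": [{"apiGroups": ["", "extensions", "apps"],
                "resources": ["deployments", "replicasets", "pods"],
                "verbs": ["list", "get", "watch"]}]},
    {"kind": "RoleBinding",
     "metadata": {"namespace": "development", "name": "developer-role-binding"},
     "subjects": [{"kind": "User", "name": "DevDan"}],
     "roleRef": {"kind": "Role", "name": "developer"}},
]


def can_devdan(verb, api_group, resource, namespace):
    """Evaluate one request for user DevDan (no group memberships) against OBJECTS."""
    return authorize(OBJECTS, Request("DevDan", frozenset(), verb, api_group, resource, namespace))


if __name__ == "__main__":
    for args in [("list", "", "pods", "development"),
                 ("list", "", "pods", "kube-system"),
                 ("list", "", "namespaces", ""),
                 ("delete", "", "pods", "development")]:
        print(args, "->", can_devdan(*args))
```

Against a real cluster the same questions are answered by `kubectl auth can-i list namespaces --as DevDan` and `kubectl auth can-i list pods -n development --as DevDan`, which is the quickest way to confirm that a binding really is confined to one namespace before handing the credentials to a developer.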